Management Advisory Report: A Guide for Assessing Cybersecurity Within the Office of Inspector General Community
From the Executive Summary: "The guide will assist information technology auditors in evaluating the cybersecurity policies, practices, and system security controls implemented to protect Federal computer systems and networks from cyber threats and vulnerabilities. It also cites established policies and guidance that can be used to evaluate critical information technology security controls. Further, the guide provides a foundation for conducting cybersecurity and information systems security-related audits that support Federal Information Security Management Act requirements. The guide is divided into seven sections. The first section outlines Federal agency cybersecurity roles and responsibilities. The second section covers cybersecurity policies and guidance for evaluating critical information technology security controls. The next section focuses on guidance regarding the use of vulnerability assessments and penetration testing Inspector General audit organizations can perform to evaluate the effectiveness of the system security and access controls implemented, and determine how well systems are protected when subject to attacks. The fourth and fifth sections cover information security continuous monitoring and cloud computing respectively. The sixth section consists of program steps for evaluating an agency's cybersecurity program and initiatives. The last section outlines program steps for conducting information system security-related audits and evaluations."
Department of Homeland Security, Office of Inspector General, Report No. OIG-14-43
Department of Homeland Security Office of Inspector General: https://www.oig.dhs.gov/